Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Problem/Motivation
With drupal 10, when the user login failed, it will trigger flood control. When the flood control is active, it did not set $form_state error, it directly return 403 response, hence to accomodate this, alogin.module should validate against $form_state->get('uid') along with $form_state->getErrors();
Steps to reproduce
Enable the flood control, set limit to 3 or 5, try to login using wrong password. Once the flood control triggered, you will have the user logged in
Proposed resolution
alogin.module alogin_ajax_callback should validate for presence of $form_state->get('uid') and $form_state->getErrors()
Remaining tasks
User interface changes
API changes
Data model changes
Issue fork alogin-3465864
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
changes
Comments
Comment #2
ahmed.raza commentedComment #3
ahmed.raza commentedComment #4
rohan_singh commentedi'll look into this.
Comment #6
rohan_singh commentedHi @ahmed.raza, I was able to reproduce the issue and created an MR for the same.
Please review.
Thanks,
Rohan Singh
Comment #10
dhruv.mittal commentedI have followed the steps to reproduce , successfully reproduce the issue and applied the MR !8 , it is resolving the issue so moving it to RTBC
And sorry I have mistakenly hide the MR!8.
Comment #13
ahmed.raza commentedThanks for the MR @Rohan, its merged and releases in ^2.1.4.
Comment #14
ahmed.raza commented